From: Tixe Exit [mailto:tixe at tixe dot com dot ar]
Sent: Friday, January 14, 2005 12:22 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] IPSec VPN
Importance: High
I have m0n0wall at one end point and a Linksys RV042 at the other, and the
VPN works fine: via TCP/IP I can see the other hosts (ping, Terminal
Services, or HTTP), but not via NetBIOS, and I need that so that some
workstations can validate their accounts against a Windows 2000 AD server
(behind the Linksys is the 2000 AD server and behind the m0n0wall are the
workstations).
[JM>] Fortunately for you "native" NetBIOS/NetBEUI is pretty much
defunct. Win2k / XP / 2003 all run just fine in a strictly IP
environment. The quickest way to start browsing between sites would be
to point your remote site clients to your AD DNS server. Though in the
long run, you'll be better off setting up a second DNS server locally,
and making it a slave so that you won't be without DNS if the tunnel
goes down. Don't be fooled by Primary / Secondary DNS in Windows, as M$
is clearly confused and will pick one arbitrarily.
---
After the VPN worked, I added a rule to permit the traffic from the LAN
subnet to the Linksys end point into m0n0wall: a rule on the WAN interface,
and the same rule on the LAN interface, which says permit from the Linksys
subnet, any protocol, any port, to the LAN subnet, any protocol, any port,
but I can't resolve via the NetBIOS protocol, and on the Linksys RV042
router I marked "permit NetBIOS packets", but in m0n0 I don't see anything
for that. I'm using the latest m0n0 beta.
[JM>] You should not have to add any rules to be able to pass traffic
via the IPSEC tunnel, as the incoming traffic appears on the LAN
segment.
And another little thing: I think it would be a very good option to
include in the m0n0wall VPN options (IPsec and OpenVPN), where it says
"remote gateway subnet IP", the possibility to enter an FQDN or domain name,
because if the remote end has a dynamic IP it is too hard to keep changing
the remote gateway IP every time it changes.
[JM>] Many of us would like to see this, but AFAIK it is a limitation of
the underlying software (racoon).
Regards,
Josh McAllister
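Added example, not part of the original thread and not m0n0wall or RV042 code: a small checker that tests, from a workstation at the m0n0wall site, whether the TCP services a Windows 2000/XP client needs for domain logon (DNS, Kerberos, LDAP, SMB directly over TCP on 445, RPC endpoint mapper) are reachable through the tunnel using plain IP, with no NetBIOS involved. The domain controller name dc1.example.local, the port list and the function names are assumptions made for this example; the built-in self-test uses a loopback listener so the script runs offline.

```python
"""Check that a remote site can reach a Windows AD domain controller
over plain TCP/IP through an IPsec tunnel, without NetBIOS.

Added example; not m0n0wall, racoon or RV042 code.  The hostname and the
port list below are assumptions for this example.
"""
import socket

# TCP services a Win2k/XP client needs from a domain controller for logon
# and name resolution when NetBIOS is not in play.  Assumed port list.
AD_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB directly over TCP (no NetBIOS)",
    464: "Kerberos password change",
    636: "LDAPS",
    3268: "Global catalog",
}


def check_tcp(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    The name is resolved by the system resolver, i.e. by whatever DNS server
    the client points at (the AD DNS server, as recommended in the thread).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dc(host, ports=AD_TCP_PORTS, timeout=2.0):
    """Return {port: (service name, reachable)} for every port in ports."""
    return {p: (name, check_tcp(host, p, timeout)) for p, name in ports.items()}


def report(results):
    """Render check_dc() output as one line per port."""
    lines = []
    for port, (name, ok) in sorted(results.items()):
        lines.append("%5d %-36s %s" % (port, name, "open" if ok else "BLOCKED"))
    return "\n".join(lines)


def selftest():
    """Offline self-check on loopback: a listening port must show as open,
    and a port nobody listens on must show as blocked.  Returns a tuple
    (listening_port_open, closed_port_open)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)  # the kernel completes the handshake without accept()
    open_port = srv.getsockname()[1]

    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # port released; connecting there is refused

    results = check_dc(
        "127.0.0.1",
        {open_port: "test listener", closed_port: "nothing listening"},
        timeout=1.0,
    )
    srv.close()
    return results[open_port][1], results[closed_port][1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.local"  # assumed name
    print(report(check_dc(target)))
```

Run it from a workstation behind the m0n0wall with the DC's name as the argument; a "BLOCKED" line on 88, 389 or 445 points at the tunnel or the firewall rules rather than at NetBIOS, since none of these ports use NetBIOS name or session services.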